DMZ and iptables breaks my head!!! Advanced Help please!!!!
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I guess that Debian Lenny is putting a bug or lock in the low-layer Ethernet or TCP/IP protocols...?????
I remember that this OS is an upgrade from Debian Etch (Debian v. 4.0) to Debian Lenny (v. 5.0).
It is impossible to install Lenny (v. 5.0) on my server at once, directly from the same CD. It is an old Compaq Proliant 3000.
In the Lenny installer kernel modules, the IDE compatibility was removed, and for that reason the HP SCSI array was not recognized and it was not possible to access the RAID 5 and create it (the server has 7 SCSI disks in the array).
So I had to install the older version (Etch 4.0) and afterwards install Lenny. For this I performed repeated "aptitude safe-upgrade" and "aptitude dist-upgrade". This upgraded v. 4.0 Etch to the current v. 5.0 Lenny.
I wonder if this form of installation has left a bad patch or an undocumented incompatibility...
We have solved only half of the problem, because the firewall allows everything.
Now we have to add rule by rule to make it suitable for use.
Please, I want to give some names to your computers:
1. Computer with 3 NICs = "firewall"
2. Computer with web server = "server".
3. Computers in 192.168.111.x = "client"
Please, if you agree with these names, use them and never confuse them.
If you do not like these names, give others.
The firewall rules which you used for the last test = "Rules_new"
So please, load "Rules_new" and do:
lsmod |grep ip
Post the output please.
Wow!! I hope that "Bingo" means the issue is solved!?!? Or at least the problem is identified?? I read through this thread earlier and admit I became quite at a loss as to what was going on.
Kudos goes to nimnull22 for determinedly persevering despite the very tricky-seeming nature of this problem -- @ nimnull22
And congratulations to MikeHammer for sticking with the problem and not giving up! I hope this continues to work out for you.
Sasha
Thanks GrapefruiTgirl,
All credit goes to the scholarship and stoic patience of nimnull22 and, after that, to my persistence in the face of adversity ...
I'm very happy to be in this very special forum, where attitudes like nimnull22's and yours (which involved a moderator, and that's not common in general ...) are not random, because the forum encourages them.
Now, out of curiosity, the output of "lsmod | grep ip" from the server with the original firewall script (that's the origin of the problem...).
I am sending the file lsmod_from_orig_firew.txt.
I am sending you the iptables-save output you asked for. I warn you that on "firewall", the iptables script doesn't have port 80 open. This is to prevent port scanning from the Kaspersky Forum while we are testing the servers and NIC eth0 is not needed...
Thanks
Last edited by MikeHammer; 12-26-2009 at 10:52 PM.
Before we start to do anything, I would like to check something.
1. Are you able to telnet from outside to your "server"?
2. Are you able to telnet from "firewall" to your "server"?
3. Are you able to telnet from any "clients" to your "server"?
So, if you can use the main features of your network, we can leave everything like this.
It will work.
But, there is still a "but"; I want you to understand the situation:
1. The main firewall right now is the "firewall" computer; "server" does not filter anything.
That is not bad, that is how it should be.
2. Your "firewall" does not have any rules to restrict access to "server" from certain IP addresses; anyone who wants to connect to your port 80 will be redirected to "server". If you want to add additional rules, add them to the "firewall" rules script.
3. Your "server" can initiate an outgoing connection and it will go out. So if you want to prevent it, modify the rules on "firewall".
If I find something else I will write.
If you do not see any problems, just leave it like this.
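The three points above (firewall does the filtering, restrict who reaches the redirected port 80, stop "server" from initiating outbound connections) as an added example ruleset for the "firewall" box; this is not code from the thread. The interface names, the DMZ address of "server" and the allowed public range are assumptions; only the 192.168.111.x "client" network comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): nimnull22's three points as iptables
# rules for the "firewall" computer. Interface names, the DMZ address of
# "server" and the allowed public range below are assumptions.
IPT="${IPT:-iptables}"          # set IPT=echo to print the rules instead of loading them
WAN_IF="${WAN_IF:-eth0}"         # assumed: NIC facing the Internet
DMZ_IF="${DMZ_IF:-eth1}"         # assumed: NIC facing "server"
LAN_IF="${LAN_IF:-eth2}"         # assumed: NIC facing the 192.168.111.x "clients"
SERVER="${SERVER:-192.168.200.10}"        # assumed DMZ address of "server"
CLIENT_NET="192.168.111.0/24"             # "client" network named in the thread
WEB_SRC="${WEB_SRC:-203.0.113.0/24}"      # constructed: range allowed to reach port 80

apply_rules() {
    # Stateful baseline: replies to established flows pass, everything else
    # crossing the firewall has to be whitelisted explicitly below.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 1. "firewall" filters, "server" does not: keep redirecting public
    #    port 80 to "server", but only for the allowed source range.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -s "$WEB_SRC" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER:80"
    # 2. The filter table must agree with the NAT rule: only forward the
    #    translated port-80 traffic from the allowed range into the DMZ.
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -s "$WEB_SRC" -d "$SERVER" \
        -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Clients on the LAN may still reach the web server directly.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$CLIENT_NET" -d "$SERVER" \
        -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # 3. "server" must not initiate connections outward: log, then drop NEW
    #    flows coming from the DMZ (its replies are already accepted above).
    $IPT -A FORWARD -i "$DMZ_IF" -s "$SERVER" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "DMZ-OUTBOUND-BLOCKED: "
    $IPT -A FORWARD -i "$DMZ_IF" -s "$SERVER" -m conntrack --ctstate NEW -j DROP
}

# Load for real only when asked (APPLY=1); otherwise print what would be loaded.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    IPT=echo
    apply_rules
fi
```

Run with `APPLY=1` as root on "firewall" after the existing "Rules_new" script has flushed and set up its own chains; without it the script only prints the rules for review.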
You are a notable support on the forum, but also you are a consistent helper who doesn't talk bullshit and goes to the target with excellent precision. My respects, colleague.
One more fact.
Could I attempt DROP chains, or was this the trouble???